CMMC Requirements: Levels 1-5 Explained
The Department of Defense (DoD) has over 300,000 companies in its defense industrial base, many of which handle government-sensitive information. To safeguard federal contract information (FCI) and controlled unclassified information (CUI) that resides on contractor information systems, DoD developed the Cybersecurity Maturity Model Certification (CMMC) framework.
Before CMMC, contractors were accountable for implementing and monitoring their own cybersecurity practices and self-attested to their compliance. CMMC adds a certification program: instead of self-attestation, a contractor's implementation is audited and validated by an accredited third-party assessor before the contractor can be certified at a given level.
CMMC Requirements, Explained
The CMMC establishes five certification levels; a contract specifies the level a contractor must hold to bid on it. The levels are cumulative: to achieve a given CMMC level, an organization must also meet all practices and processes of the lower levels.
The CMMC levels are organized around the type and sensitivity of information and the threats to it: Level 1 safeguards FCI; Level 2 is a transition step in cybersecurity maturity toward protecting CUI; Level 3 protects CUI; and Levels 4 and 5 protect CUI while reducing the risk from advanced persistent threats (APTs).
For a more detailed explanation, below are DoD’s five CMMC levels with their corresponding processes and practices:
CMMC Level 1
Level 1 requires only that an organization performs the specified practices. Because an organization may perform these practices in an ad-hoc manner and without relying on documentation, process maturity is not assessed at Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of FCI and consists of 17 practices, all of which correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").
CMMC Level 2
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of 72 practices (cumulative): a subset of the security requirements specified in NIST SP 800-171, plus practices drawn from other standards and references. Because this level is transitional, only a subset of its practices addresses the protection of CUI.
CMMC Level 3
Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and consists of 130 practices (cumulative), which encompass all 110 security requirements specified in NIST SP 800-171 plus 20 additional practices from other standards and references to mitigate threats.
Note that DFARS clause 252.204-7012 ("Safeguarding of Covered Defense Information and Cyber Incident Reporting") specifies requirements beyond the NIST SP 800-171 security requirements, such as reporting cyber incidents to DoD within 72 hours of discovery. Meeting Level 3 does not by itself satisfy those additional clause requirements.
CMMC Level 4
Level 4 requires that an organization review and measure its practices for effectiveness. In addition, organizations at this level take corrective action when necessary and inform higher-level management of status and issues on a recurring basis.
Level 4 focuses on the protection of CUI from APTs and consists of 156 practices (cumulative). The 26 practices added at this level draw on a subset of the enhanced security requirements from Draft NIST SP 800-171B, as well as other cybersecurity best practices, and strengthen the organization's detection and response capabilities so that it can adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
CMMC Level 5
Level 5 requires an organization to standardize and optimize process implementation across the entire organization.
Level 5 also focuses on the protection of CUI from APTs and brings the total to 171 practices (cumulative). The 15 practices added at this level increase the depth and sophistication of the organization's cybersecurity capabilities.
It is important to note that the CMMC framework consists of 171 practices in total, distributed across the five levels and spanning all of its capabilities and domains. Because the levels are cumulative, a contractor working on a Level 5 contract must comply with the Level 5 requirements plus all of the requirements of Levels 1 through 4, for a total of 171 practices. (These level and practice counts describe CMMC version 1.0; the model was later revised as CMMC 2.0, which consolidates the structure into three levels aligned with NIST SP 800-171 and SP 800-172.) Contractors should begin now to learn the CMMC technical requirements and bring their cybersecurity infrastructure and practices in line with the framework; failing to do so could jeopardize their ability to compete for work.
For contractors that are just starting to adapt to the CMMC standards, the task may seem overwhelming. Seeking help from a security expert can equip your organization to understand all the details.
Ensure Compliance with an Expert
Dynamic Systems has been helping federal agencies and their partners accelerate transformation and ensure business continuity. As an organization that has previously worked with government contractors under the DoD, we are familiar with its cybersecurity standards and continually update our security solutions based on the latest cybersecurity and compliance developments.